HIPAA Security Rule

The HIPAA Security Rule establishes national standards for protecting electronic PHI (ePHI). DocuStack implements controls across all three safeguard categories.

Administrative Safeguards (§164.308)

HIPAA Requirement	Section	DocuStack Implementation
Security Management Process	§164.308(a)(1)	Risk assessments, security policies, sanction policy
Risk Analysis	§164.308(a)(1)(ii)(A)	Annual risk assessments, continuous monitoring via AWS Config
Risk Management	§164.308(a)(1)(ii)(B)	Security controls, vulnerability management, patch management
Sanction Policy	§164.308(a)(1)(ii)(C)	Employee handbook, security policy violations
Information System Activity Review	§164.308(a)(1)(ii)(D)	CloudTrail analysis, CloudWatch alarms, Security Hub
Assigned Security Responsibility	§164.308(a)(2)	Designated Security Officer, documented responsibilities
Workforce Security	§164.308(a)(3)	Background checks, access provisioning/deprovisioning
Authorization and Supervision	§164.308(a)(3)(ii)(A)	Role-based access, manager approval for access
Workforce Clearance	§164.308(a)(3)(ii)(B)	Background checks for PHI access
Termination Procedures	§164.308(a)(3)(ii)(C)	Immediate access revocation, exit procedures
Information Access Management	§164.308(a)(4)	IAM Identity Center, least privilege
Access Authorization	§164.308(a)(4)(ii)(B)	Documented access approval process
Access Establishment/Modification	§164.308(a)(4)(ii)(C)	IAM policies, access reviews
Security Awareness Training	§164.308(a)(5)	Annual training, phishing simulations
Security Reminders	§164.308(a)(5)(ii)(A)	Regular security communications
Protection from Malware	§164.308(a)(5)(ii)(B)	Endpoint protection, container scanning
Log-in Monitoring	§164.308(a)(5)(ii)(C)	CloudTrail, failed login alerts
Password Management	§164.308(a)(5)(ii)(D)	IAM password policy, MFA enforcement
Security Incident Procedures	§164.308(a)(6)	Incident response plan, breach notification
Response and Reporting	§164.308(a)(6)(ii)	Documented IR procedures, 24-hour response
Contingency Plan	§164.308(a)(7)	Disaster recovery, business continuity
Data Backup Plan	§164.308(a)(7)(ii)(A)	RDS automated backups, S3 versioning
Disaster Recovery Plan	§164.308(a)(7)(ii)(B)	Multi-AZ deployment, cross-region backup
Emergency Mode Operation	§164.308(a)(7)(ii)(C)	Degraded mode procedures
Testing and Revision	§164.308(a)(7)(ii)(D)	Annual DR testing
Evaluation	§164.308(a)(8)	Annual security assessments, penetration testing
Business Associate Contracts	§164.308(b)(1)	BAAs with AWS, subprocessors

Physical Safeguards (§164.310)

HIPAA Requirement	Section	DocuStack Implementation
Facility Access Controls	§164.310(a)(1)	AWS data center controls (AWS responsibility)
Contingency Operations	§164.310(a)(2)(i)	Multi-AZ, multi-region capability
Facility Security Plan	§164.310(a)(2)(ii)	AWS SOC 2 reports
Access Control and Validation	§164.310(a)(2)(iii)	AWS physical security
Maintenance Records	§164.310(a)(2)(iv)	AWS maintenance procedures
Workstation Use	§164.310(b)	Remote work policy, endpoint security
Workstation Security	§164.310(c)	Endpoint encryption, MDM
Device and Media Controls	§164.310(d)(1)	No local PHI storage, cloud-only
Disposal	§164.310(d)(2)(i)	S3 lifecycle policies, secure deletion
Media Re-use	§164.310(d)(2)(ii)	AWS handles hardware lifecycle
Accountability	§164.310(d)(2)(iii)	Asset inventory, tagging
Data Backup and Storage	§164.310(d)(2)(iv)	Encrypted backups, versioning

Technical Safeguards (§164.312)

HIPAA Requirement	Section	DocuStack Implementation
Access Control	§164.312(a)(1)	IAM Identity Center, RBAC
Unique User Identification	§164.312(a)(2)(i)	Individual IAM users, no shared accounts
Emergency Access Procedure	§164.312(a)(2)(ii)	Break-glass procedures documented
Automatic Logoff	§164.312(a)(2)(iii)	Session timeouts, token expiration
Encryption and Decryption	§164.312(a)(2)(iv)	KMS encryption for S3, RDS, EBS
Audit Controls	§164.312(b)	CloudTrail, VPC Flow Logs, CloudWatch
Integrity	§164.312(c)(1)	S3 versioning, checksums
Mechanism to Authenticate ePHI	§164.312(c)(2)	Digital signatures, checksums
Person or Entity Authentication	§164.312(d)	MFA, SSO, certificate-based auth
Transmission Security	§164.312(e)(1)	TLS 1.2+ everywhere
Integrity Controls	§164.312(e)(2)(i)	TLS, checksums
Encryption	§164.312(e)(2)(ii)	TLS 1.2+ for all data in transit

AWS Config Rules for HIPAA

Rule	Purpose	HIPAA Mapping
encrypted-volumes	EBS encryption required	§164.312(a)(2)(iv)
s3-bucket-server-side-encryption-enabled	S3 encryption required	§164.312(a)(2)(iv)
rds-storage-encrypted	RDS encryption required	§164.312(a)(2)(iv)
vpc-flow-logs-enabled	Network logging required	§164.312(b)
access-keys-rotated	Key rotation (90 days)	§164.308(a)(5)(ii)(D)
cloudtrail-enabled	API logging required	§164.312(b)
iam-password-policy	Password complexity	§164.308(a)(5)(ii)(D)
mfa-enabled-for-iam-console-access	MFA required	§164.312(d)
root-account-mfa-enabled	Root MFA required	§164.312(d)

Service Control Policies for HIPAA

SCP	Effect	HIPAA Mapping
Region Restriction	Only us-east-1 allowed	Data residency
S3 Encryption Required	Block unencrypted S3 uploads	§164.312(a)(2)(iv)
CloudTrail Protection	Prevent trail deletion/modification	§164.312(b)
Log Archive Protection	Deny object deletion	§164.312(b)
Deny Public S3	Block public bucket policies	§164.312(e)(1)

Vendor Management

Vendor	Service	BAA Status	Risk Assessment
AWS	Cloud infrastructure	Signed	Annual
GitHub	Source code hosting	Signed	Annual
Slack	Team communication	Signed	Annual

Compliance Checklist

Pre-Deployment

• S3 buckets encrypted with KMS CMK
• RDS encrypted with KMS CMK
• EBS volumes encrypted
• TLS 1.2+ enforced on all endpoints
• VPC Flow Logs enabled
• No public IPs on compute resources
• VPC endpoints configured for AWS services
• Security groups follow least privilege
• IAM Identity Center configured
• MFA enforced for all users
• No long-lived access keys
• CloudTrail enabled (organization trail)
• CloudTrail logs encrypted
• Log Archive account configured
• SCPs protect log integrity
• AWS Config enabled
• HIPAA conformance pack deployed
• Security Hub enabled
• GuardDuty enabled

Ongoing Tasks

Task	Frequency	Owner
Review CloudTrail logs	Daily	Security team
Review Security Hub findings	Daily	Security team
Review GuardDuty findings	Daily	Security team
Access review	Quarterly	Security team
Vulnerability scan	Monthly	Security team
Security training	Annual	All employees
Risk assessment	Annual	Security team
Penetration test	Annual	Third party
DR test	Annual	Operations team
Policy review	Annual	Security team
BAA review	Annual	Legal/Compliance

Related

• Compliance Overview
• SOC 2 Trust Services
• Technical Controls